Closed
Bug 657201
(CVE-2011-2368)
Opened 14 years ago
Closed 14 years ago
WebGL crash [@createProgram/@gldCopyTexSubImage]
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
()
RESOLVED
FIXED
mozilla6
Flag | Tracking | Status |
---|---|---|
firefox5 | + | fixed |
status2.0 | --- | wanted |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: posidron, Assigned: bjacob)
Details
(Whiteboard: [sg:critical?])
Attachments
(5 files)
16.15 KB, application/zip
17.10 KB, text/plain
16.13 KB, text/plain
17.10 KB, text/plain
1.02 KB, patch (posidron: review+; asa: approval-mozilla-beta+)
Sometimes it crashes in createProgram, sometimes in gldCopyTexSubImage.
The bug is currently only reproducible against:
ProductName: Mac OS X
ProductVersion: 10.6.7
BuildVersion: 10J869
OpenGL renderer string: ATI Radeon HD 6750M OpenGL Engine
OpenGL version string: 2.1 ATI-1.6.32
I have marked this as a security issue because I get some write violations at different places.
Comment 1 • 14 years ago (Reporter)
Comment 2 • 14 years ago (Reporter)
Comment 3 • 14 years ago (Reporter)
Updated • 14 years ago (Reporter)
Summary: WebGL crash [@gldCopyTexSubImage] → WebGL crash [@createProgram/@gldCopyTexSubImage]
Comment 4 • 14 years ago (Assignee)
Oh oh, really interesting! All 3 crashes have in common to be happening inside of glValidateProgram(). In bug 593867, we already decided to avoid calling glValidateProgram on Macs with NVIDIA cards. Now you're getting problems with an ATI card --> let's completely avoid glValidateProgram() which means that it wasn't NVIDIA specific.
Comment 5 • 14 years ago (Assignee)
Chris, I had filed Apple bug 9129482, but it got closed as "missing information". It seems that this bug could use some pushing by an Apple insider ;-)
Comment 6 • 14 years ago (Assignee)
Attachment #532643 - Flags: review?(christoph.diehl)
Comment 7 • 14 years ago (Assignee)
Note: it's also very interesting to have this on Mac OS 10.6.7. My Apple bug got closed as I was unable to confirm whether it still happened on 10.6.7.
Comment 8 • 14 years ago (Reporter)
Fixed - thanks Benoit.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 9 • 14 years ago (Assignee)
We should keep this bug open until it's actually fixed in the tree! Please review my patch or tell me if you would like me to find someone else.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 10 • 14 years ago (Reporter)
Oh. Sorry for closing it too early.
I already reviewed your patch, applied it to my build and checked it against the provided testcase. ;)
Comment 11 • 14 years ago (Assignee)
Welcome to Mozilla bureaucracy: if you approve my patch, please click 'Details', then on the 'review' line, select '+'.
Then we will land it, paste here a link to the changeset, and finally close this bug.
Updated • 14 years ago (Reporter)
Attachment #532643 - Flags: review?(christoph.diehl) → review+
Updated • 14 years ago (Assignee)
Attachment #532643 - Flags: approval-mozilla-aurora?
Updated • 14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
status-firefox5: --- → affected
tracking-firefox5: --- → +
tracking-firefox6: --- → ?
Whiteboard: [sg:critical?]
Updated • 14 years ago
Attachment #532643 - Flags: approval-mozilla-beta?
Updated • 14 years ago
Attachment #532643 - Flags: approval-mozilla-beta?
Attachment #532643 - Flags: approval-mozilla-beta+
Attachment #532643 - Flags: approval-mozilla-aurora?
Comment 12 • 14 years ago
Comment on attachment 532643
really disable validateProgram() on Mac
Please land this change on both Aurora and Beta. (In the future, getting changes in during Aurora will save you this extra step.)
Attachment #532643 - Flags: approval-mozilla-aurora+
Comment 13 • 14 years ago (Assignee)
mozilla-central:
http://hg.mozilla.org/mozilla-central/rev/9ca849387799
I didn't realize that this was now sg-critical, sorry. Will land on aurora and beta ASAP.
Updated • 14 years ago (Assignee)
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Assignee: nobody → bjacob
Comment 14 • 13 years ago (Assignee)
Pushed to Beta:
http://hg.mozilla.org/releases/mozilla-beta/rev/eba2dce26189
The fix was already on Aurora, as the Central->Aurora merge happened since I landed on Central.
Updated • 13 years ago
tracking-firefox6: ? → ---
Updated • 13 years ago
Attachment #532643 - Flags: approval-mozilla-aurora+
Updated • 13 years ago
Alias: CVE-2011-2368
Updated • 13 years ago
Group: core-security
Comment 15 • 8 years ago
The workaround that was added in this issue is about 5 years old now. Marked down bug 1284425 to discuss if the workaround is relevant any more on recent OS X versions.